# kranken13at.com — MALICIOUS > PhishDestroy identifies kranken13at.com as an active credential-phishing site impersonating health services. ## Summary PhishDestroy threat intelligence has identified an active credential-phishing domain, kranken13at.com, that masquerades as a legitimate health-services portal to harvest user login credentials. The site presents a convincing replica of a well-known health-insurance interface and lures victims through phishing emails and spoofed login pages, tricking users into surrendering their account details. Once harvested, credentials are exfiltrated to backend servers controlled by threat actors for subsequent identity theft, financial fraud, or further spear-phishing campaigns targeting the victim’s contacts. This tactic undermines trust in health-service brands and exposes users to prolonged account compromise and reputational damage. Technical indicators confirm kranken13at.com as a high-risk host. VirusTotal analysis shows 5 out of 95 security vendors have flagged the domain, reflecting partial but not universal detection. The domain was registered on May 18, 2024, less than one month ago, indicating a recently stood-up operation designed for temporary use. The hosting infrastructure resolves to IP address 104.21.72.134, which has been linked to multiple phishing campaigns. The SSL certificate is issued by Google Trust Services, a tactic used to appear legitimate and evade browser warnings. The domain is registered through NICENIC INTERNATIONAL GROUP CO., LIMITED, a registrar that has been observed in several bulk-registration campaigns tied to malicious domains. These combined factors elevate the threat level and suggest a coordinated, short-lived phishing operation targeting health-service users. If you have visited kranken13at.com, take immediate action to secure your accounts. Change passwords for any credentials entered on the site, enable multi-factor authentication where available, and monitor accounts for unauthorized access or transactions. Report the domain to your organization’s security team or to your email provider for blocking. If you entered payment information, contact your financial institution to request card monitoring or replacement. Avoid interacting with any future emails or messages from this domain. Use trusted bookmarks or official app stores to access health-service portals, and verify URLs carefully before entering credentials. Proactive vigilance remains the best defense against credential-phishing threats. ## Threat Details - Verdict: MALICIOUS - Site status: unknown (HTTP ?) ## Domain Intelligence - Registered: 2024-05-18 07:19:10 - Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED - IP: 104.21.72.134 ## Detection Status - VirusTotal: 5 vendors flagged - Google Safe Browsing: clean - Blocklists: 0 hits ## Evidence - Cloudflare Radar: https://radar.cloudflare.com/scan/805a429a-420a-42e0-a7f9-9081e86072b9 - PhishDestroy: https://phishdestroy.io/domain/kranken13at.com/ - LLM endpoint: https://phishdestroy.io/domain/kranken13at.com/llm.txt ## If You Visited This Site 1. Change any passwords you may have entered 2. Enable 2FA on all related accounts 3. Monitor your accounts for unauthorized activity 4. Report to: FBI IC3, Europol, local authorities --- Report by PhishDestroy | https://phishdestroy.io/domain/kranken13at.com/ Last updated: 2026-03-27